In recent days, security researchers at Cloudflare, Arbor Networks, and the Chinese security firm Qihoo 360 noticed that attackers are abusing Memcached to amplify their DDoS attacks by an unprecedented factor of 51,200.
Memcached is a popular, easily deployed open-source distributed caching system that stores objects in memory and is designed to handle a large number of open connections. The Memcached server listens on port 11211 over both TCP and UDP.
Dubbed Memcrashed by Cloudflare, the attack abuses exposed Memcached servers that have UDP enabled to deliver DDoS traffic 51,200 times the size of the attacker's own requests, the largest amplification factor seen in the wild so far.
How Does the Memcrashed DDoS Amplification Attack Work?
Like other amplification methods, in which an attacker sends a small request with a spoofed source address so that a much larger response is delivered to that address, Memcrashed works by sending forged requests to an exposed Memcached server on UDP port 11211 with the source IP set to the victim's address. The server's replies therefore go to the victim, not to the attacker.
According to the researchers, a request of just a few bytes can trigger a response tens of thousands of times larger.
“15 bytes of request triggered 134KB of response. This is an amplification factor of 10,000x! In practice we’ve seen a 15-byte request result in a 750kB response (that’s a 51,200x amplification),” Cloudflare says.
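To make the 15-byte figure concrete, the following is an added example (not code from the article, Cloudflare or the Memcached project) that builds a Memcached UDP request frame, reassembles a multi-datagram reply and computes the amplification factor. The frame layout is the one documented in Memcached's protocol.txt: an 8-byte header of four big-endian 16-bit fields (request ID, sequence number, datagram count, reserved) followed by the text-protocol command. The choice of `stats\r\n` as the command is an assumption: it is simply the obvious command whose frame comes to exactly 15 bytes; the article does not say which command Cloudflare measured. The reply used offline is constructed, and the 1400-byte datagram limit is Memcached's documented UDP behaviour.

```python
import socket
import struct

# Memcached UDP frame header (protocol.txt): request id, sequence number,
# number of datagrams in this message, reserved. All 16-bit big-endian.
HEADER = struct.Struct("!HHHH")
# Memcached keeps each UDP datagram under ~1400 bytes, header included.
MAX_PAYLOAD = 1400 - HEADER.size


def build_udp_frame(command: bytes, request_id: int = 1) -> bytes:
    """Wrap one text-protocol command in a single-datagram UDP frame.
    For b"stats\\r\\n" this is 8 + 7 = 15 bytes, the size Cloudflare quotes."""
    return HEADER.pack(request_id, 0, 1, 0) + command


def split_reply(payload: bytes, request_id: int) -> list:
    """Model the server side: a reply larger than one datagram is sent as N
    datagrams sharing the request id and numbered seq 0..N-1 of N.
    Constructed here only so the parser can be exercised offline."""
    chunks = [payload[i:i + MAX_PAYLOAD]
              for i in range(0, len(payload), MAX_PAYLOAD)] or [b""]
    n = len(chunks)
    return [HEADER.pack(request_id, seq, n, 0) + c for seq, c in enumerate(chunks)]


def reassemble(datagrams, request_id: int) -> bytes:
    """Reorder and join the datagrams of one reply. Datagrams for other
    request ids or too short to carry a header are ignored; lost datagrams
    simply leave a gap, so the result is whatever arrived."""
    parts = {}
    for d in datagrams:
        if len(d) < HEADER.size:
            continue
        rid, seq, _count, _reserved = HEADER.unpack_from(d)
        if rid != request_id:
            continue
        parts[seq] = d[HEADER.size:]
    return b"".join(parts[s] for s in sorted(parts))


def amplification(request: bytes, datagrams) -> float:
    """Reflected bytes per request byte (IP/UDP headers not counted, so the
    on-the-wire factor is slightly different)."""
    return sum(len(d) for d in datagrams) / len(request)


def probe(host: str, port: int = 11211, timeout: float = 2.0):
    """Send 'stats' to a server you own and measure what comes back.
    Only for auditing your own hosts: this exact datagram, sent with a
    spoofed source address, is the attack."""
    request_id = 0x1234
    req = build_udp_frame(b"stats\r\n", request_id)
    got = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            while True:
                got.append(s.recv(65535))
        except socket.timeout:
            pass
    return len(req), amplification(req, got), reassemble(got, request_id)


if __name__ == "__main__":
    # Offline demo with a constructed 1505-byte 'stats' reply.
    req = build_udp_frame(b"stats\r\n", request_id=7)
    reply = split_reply(b"STAT pid 1234\r\n" * 100 + b"END\r\n", 7)
    print(len(req), "request bytes ->", sum(map(len, reply)), "reply bytes,",
          f"{amplification(req, reply):.1f}x")
```

The constructed reply gives a factor of about 100x; the 10,000x and 51,200x figures in the quote come from servers whose `stats` output or cached values are far larger. Note that `probe()` counts only the datagrams that arrive before the timeout, so on a lossy path it reports a lower bound.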
According to the researchers, most of the Memcached servers being abused for amplification DDoS attacks are hosted at OVH, Digital Ocean, Sakura and other small hosting providers.
“At peak we’ve seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don’t lie. It’s possible because all the reflected packets are very large,” Cloudflare says.
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.
But TCP is not currently considered a high-risk Memcached reflection/amplification vector, because a TCP connection cannot be completed from a spoofed source address, so its responses cannot be reliably reflected to a victim.
Well-known DDoS amplification vectors we have reported on in the past include poorly secured domain name system (DNS) resolvers, which amplify traffic by about 50 times, and network time protocol (NTP) servers, which amplify it by nearly 58 times.
Mitigation: How to Fix Memcached Servers?
One of the easiest ways to prevent Memcached servers from being abused as reflectors is to firewall, block or rate-limit UDP traffic to port 11211 in front of them. Networks on the receiving end of an attack can likewise filter or rate-limit UDP traffic with source port 11211, since every reflected reply originates from that port.
Memcached binds to INADDR_ANY (all interfaces) and, in releases before 1.5.6, ships with UDP support enabled by default, so administrators who do not use UDP are advised to disable it (start memcached with `-U 0`) and to bind the service to localhost or an internal interface with `-l`.
An attack of the size Memcached reflection can generate cannot easily be absorbed by Internet Service Providers (ISPs), and the root cause cannot be fixed as long as source IP spoofing remains possible on the internet, that is, as long as networks do not deploy ingress filtering (BCP 38).
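As an added example (not part of the article or the Memcached project), the following script audits a Memcached configuration for the two settings that matter here: whether UDP is still enabled and whether the service is bound to all interfaces. It reads either a Debian-style `/etc/memcached.conf` (one option per line, `#` comments) or a running process's command line, and understands the real memcached flags `-U`/`--udp-port` (0 disables UDP), `-l`/`--listen` (bind address, comma-separated, optional `:port`) and `-p`/`--port`. The weak and hardened configuration texts are constructed samples; the finding names (`udp_reflector`, `bind_any`, `bind_public`) are this script's own.

```python
import ipaddress
import shlex

# Constructed sample: the pre-1.5.6 default, reachable on UDP from anywhere.
WEAK_CONF = """
# /etc/memcached.conf (constructed example of the vulnerable default)
-m 64
-p 11211
-u memcache
"""

# Constructed sample: UDP off, bound to loopback only.
HARDENED_CONF = """
# /etc/memcached.conf (constructed example of the hardened setting)
-m 64
-p 11211
-u memcache
-U 0
-l 127.0.0.1
"""

FLAGS = ("-U", "--udp-port", "-l", "--listen", "-p", "--port")


def load_conf(text: str) -> list:
    """Turn a memcached.conf (or a 'ps' command line) into an argument list."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv


def _host_only(addr: str) -> str:
    """Drop an optional :port suffix, since '-l addr:port' is allowed."""
    addr = addr.strip()
    if addr.startswith("["):          # [v6addr]:port
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:          # v4addr:port
        return addr.split(":")[0]
    return addr                       # bare v4, or bare v6 such as ::1


def parse_memcached_opts(argv) -> tuple:
    """Return (udp_port, listen_addrs, tcp_port). Later flags override earlier
    ones except -l, which accumulates. Handles '-U 0', '-U0' and '--udp-port=0';
    tokens that are not one of FLAGS (including 'memcached' itself) are skipped."""
    udp_port, listen, tcp_port = 11211, [], 11211
    i = 0
    while i < len(argv):
        tok, key, val = argv[i], argv[i], None
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
        elif tok.startswith("-") and not tok.startswith("--") and len(tok) > 2:
            key, val = tok[:2], tok[2:]           # getopt-style "-U0"
        if key in FLAGS:
            if val is None:                       # value is the next token
                i += 1
                val = argv[i] if i < len(argv) else ""
            if key in ("-U", "--udp-port"):
                udp_port = int(val)
            elif key in ("-p", "--port"):
                tcp_port = int(val)
            else:
                listen.extend(_host_only(a) for a in val.split(",") if a.strip())
        i += 1
    return udp_port, listen, tcp_port


def is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def audit(argv) -> set:
    """Findings for one memcached invocation. A server is a usable reflector
    only when UDP is on AND it is reachable from outside loopback."""
    udp_port, listen, _tcp = parse_memcached_opts(argv)
    findings = set()
    reachable = not listen or not all(is_loopback(a) for a in listen)
    if reachable:
        findings.add("bind_any" if not listen else "bind_public")
    if udp_port != 0 and reachable:
        findings.add("udp_reflector")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, sorted(audit(load_conf(conf))) or "ok")
```

`bind_public` without `udp_reflector` (for example `--udp-port=0 -l 10.0.0.5`) means the server is no longer usable for amplification but is still reachable over TCP from that network, which is a separate access-control question the article does not address.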